ScreenConnect.ClientSetup (6).exe
This report is generated from a file or URL submitted to this webservice on May 19th 2016 18:23:06 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v4.20 © Hybrid Analysis
Incident Response
Risk Assessment
- Fingerprint
- Reads the active computer name
- Reads the cryptographic machine GUID
- Network Behavior
- Contacts 1 domain and 1 host.
Indicators
-
Malicious Indicators 2
-
General
-
The input sample dropped a file that was identified as malicious
- details
- 1/57 Antivirus vendors marked dropped file "MSI5B82.tmp" as malicious (classified as "BehavesLike.Downloader" with 1% detection rate)
- source
- Binary File
- relevance
- 10/10
-
Installation/Persistence
-
Allocates virtual memory in foreign process
- details
- "<Input Sample>" allocated memory in "%WINDIR%\System32\msiexec.exe"
- source
- API Call
- relevance
- 7/10
-
Suspicious Indicators 24
-
Anti-Detection/Stealthyness
-
Queries kernel debugger information
- details
- "<Input Sample>" at 00025067-00001616-00000105-63543968
- source
- API Call
- relevance
- 6/10
-
Sets the process error mode to suppress error box
- details
- "<Input Sample>" set its error mode to SEM_NOOPENFILEERRORBOX
- source
- API Call
- relevance
- 8/10
-
Anti-Reverse Engineering
-
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details
- SetUnhandledExceptionFilter@KERNEL32.DLL from PID 00001616 (four calls recorded)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
PE file has unusual entropy sections
- details
- .rsrc with unusual entropies 7.01769287745
- source
- Static Parser
- relevance
- 10/10
-
Environment Awareness
-
Possibly tries to detect the presence of a debugger
- details
- GetProcessHeap@KERNEL32.DLL from f2b098cea47ede322e0843a3b4230e1e71407bb9f3eabcafc214a1bd6f5cc8d1.exe (PID: 1616) (two calls recorded)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Reads the cryptographic machine GUID
- details
- "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
-
General
-
Contains ability to find and load resources of a specific module
- details
- FindResourceW@KERNEL32.DLL from f2b098cea47ede322e0843a3b4230e1e71407bb9f3eabcafc214a1bd6f5cc8d1.exe (PID: 1616) (two calls recorded)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Reads configuration files
- details
- "<Input Sample>" read file "%USERPROFILE%\Desktop\desktop.ini"
- source
- API Call
- relevance
- 4/10
-
Installation/Persistence
-
Creates/touches files in windows directory
- details
-
"<Input Sample>" created file "%WINDIR%\Microsoft.NET\Framework\v1.0.3705\clr.dll"
"<Input Sample>" created file "%WINDIR%\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
"<Input Sample>" created file "%WINDIR%\Microsoft.NET\Framework\v1.1.4322\clr.dll"
"<Input Sample>" created file "%WINDIR%\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
"<Input Sample>" created file "%WINDIR%\Microsoft.NET\Framework\v2.0.50727\clr.dll"
"<Input Sample>" created file "%WINDIR%\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
"<Input Sample>" created file "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\clr.dll"
"<Input Sample>" created file "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\config\machine.config"
"<Input Sample>" created file "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\ngen.log"
"<Input Sample>" created file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
"<Input Sample>" created file "%WINDIR%\assembly\NativeImages_v4.0.30319_32\mscorlib\51e2934144ba15628ba5a31be2dae7dc\mscorlib.ni.dll.aux"
"<Input Sample>" created file "%WINDIR%\system32\rsaenh.dll"
"<Input Sample>" created file "%WINDIR%\assembly\pubpol47.dat"
"<Input Sample>" created file "%WINDIR%\assembly\NativeImages_v4.0.30319_32\System\e40da7a49f8c3f0108e7c835b342f382\System.ni.dll.aux"
"<Input Sample>" created file "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll"
"<Input Sample>" created file "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp"
"<Input Sample>" created file "%WINDIR%\system32\en-US\KERNELBASE.dll.mui"
"<Input Sample>" created file "%WINDIR%\system32\OLEACCRC.DLL"
- source
- API Call
- relevance
- 7/10
-
Drops executable files
- details
- "MSI5B82.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 10/10
-
System Security
-
Modifies proxy settings
- details
-
"<Input Sample>" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"<Input Sample>" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- source
- Registry Access
- relevance
- 10/10
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
- "<Input Sample>" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
-
Queries sensitive IE security settings
- details
- "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source
- Registry Access
- relevance
- 8/10
-
Queries the display settings of system associated file extensions
- details
-
"<Input Sample>" (Access type: "QUERYVAL"; Path: "HKCR\SOFTWARE\CLASSES\SYSTEMFILEASSOCIATIONS\.EXE"; Key: "ALWAYSSHOWEXT")
"<Input Sample>" (Access type: "QUERYVAL"; Path: "HKCR\SOFTWARE\CLASSES\SYSTEMFILEASSOCIATIONS\.EXE"; Key: "NEVERSHOWEXT")
- source
- Registry Access
- relevance
- 7/10
-
Unusual Characteristics
-
CRC value set in PE header does not match actual value
- details
-
"f2b098cea47ede322e0843a3b4230e1e71407bb9f3eabcafc214a1bd6f5cc8d1.exe.bin" claimed CRC 1792105 while the actual is CRC 1833968
"MSI5B82.tmp" claimed CRC 193043 while the actual is CRC 351459
- source
- Static Parser
- relevance
- 10/10
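The PE CheckSum comparison behind this indicator, written out in code. This is an added example and not part of the sandbox report: it implements the Windows image checksum (the algorithm behind imagehlp's CheckSumMappedFile: sum the file as little-endian 16-bit words with end-around carry, leave the CheckSum field itself out, then add the file length), computes it for a constructed minimal PE32 header, writes it back, and shows that a single flipped byte breaks the match. One caveat a practitioner should keep in mind: the Windows loader only enforces this field for kernel-mode drivers and boot-critical system DLLs, so user-mode installers routinely ship with 0 or a stale value. A mismatch such as the 1792105 versus 1833968 pair above is weak evidence on its own; re-check it against a copy of the installer obtained from the vendor before reading anything into it.

```python
"""Recompute the PE optional-header CheckSum and compare it with the stored value.

Added example, not part of the sandbox report. The header is parsed by hand so the
script needs nothing beyond the standard library.
"""
import struct

# CheckSum sits at offset 0x40 of the optional header for both PE32 and PE32+.
CHECKSUM_FIELD_OFFSET = 0x40


def _optional_header_offset(data: bytes) -> int:
    """Locate the optional header: MZ header -> e_lfanew -> 'PE\\0\\0' + 20-byte COFF header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20


def stored_checksum(data: bytes) -> int:
    """The value the file claims in its header."""
    return struct.unpack_from("<I", data, _optional_header_offset(data) + CHECKSUM_FIELD_OFFSET)[0]


def pe_checksum(data: bytes) -> int:
    """The value the header should hold (same algorithm as imagehlp's CheckSumMappedFile):
    one's-complement sum of the file as little-endian 16-bit words, excluding the
    CheckSum field itself, plus the file length."""
    buf = bytearray(data)
    field = _optional_header_offset(data) + CHECKSUM_FIELD_OFFSET
    buf[field:field + 4] = b"\0\0\0\0"        # zeroing the field == leaving it out of the sum
    if len(buf) % 2:
        buf.append(0)                          # a trailing odd byte becomes the low byte of a word
    total = 0
    for (word,) in struct.iter_unpack("<H", buf):
        total += word
        total = (total & 0xFFFF) + (total >> 16)   # end-around carry
    total = (total & 0xFFFF) + (total >> 16)       # fold any final carry
    return (total & 0xFFFF) + len(data)


def checksum_matches(data: bytes) -> bool:
    """True when the stored field equals the recomputed value."""
    return stored_checksum(data) == pe_checksum(data)


def with_checksum(data: bytes) -> bytes:
    """Return a copy with a correct CheckSum written (what the linker's /RELEASE switch does)."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, _optional_header_offset(data) + CHECKSUM_FIELD_OFFSET,
                     pe_checksum(data) & 0xFFFFFFFF)
    return bytes(buf)


def build_minimal_pe() -> bytes:
    """Constructed test input, not a real binary: DOS header, PE32 headers with
    CheckSum = 0, one empty section header and 1 KiB of filler 'section data'."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)   # i386, 1 section, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic; CheckSum at 0x40 stays 0
    section_header = bytes(40)
    filler = bytes(range(256)) * 4
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section_header + filler


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe()
    print(f"stored   CRC {stored_checksum(raw)}")
    print(f"computed CRC {pe_checksum(raw)}")
    print("match" if checksum_matches(raw) else "MISMATCH")
```

Run it with the path of a PE file as the only argument to reproduce the "claimed CRC / actual CRC" pair for a real sample; without an argument it checks the constructed header, which deliberately carries CheckSum = 0 and therefore reports a mismatch until `with_checksum` is applied.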
-
Contains embedded string with suspicious keywords
- details
-
Found suspicious keyword "Windows" which indicates: "May enumerate application windows (if combined with Shell.Application object)"
Found suspicious keyword "Put" which indicates: "May write to a file (if combined with Open)"
Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
Found suspicious keyword "Write" which indicates: "May write to a file (if combined with Open)"
Found suspicious keyword "Shell" which indicates: "May run an executable file or a system command"
Found suspicious keyword "Binary" which indicates: "May read or write a binary file (if combined with Open)"
Found suspicious keyword "Open" which indicates: "May open a file"
- source
- File/Memory
- relevance
- 10/10
-
Imports suspicious APIs
- details
-
UnhandledExceptionFilter
CreateFileW
FindResourceW
LoadLibraryW
GetProcAddress
LockResource
GetCommandLineA
IsDebuggerPresent
GetModuleHandleExW
WriteFile
GetModuleFileNameW
GetStartupInfoW
GetModuleFileNameA
TerminateProcess
GetModuleHandleW
Sleep
LoadLibraryExW
OutputDebugStringW
CreateDirectoryW
DisconnectNamedPipe
ConnectNamedPipe
CreateThread
CreateProcessW
GetTickCount
GetFileAttributesW
FindNextFileW
DeleteFileW
FindFirstFileW
GetTempPathW
- source
- Static Parser
- relevance
- 1/10
-
Installs hooks/patches the running process
- details
- "<Input Sample>" wrote bytes "004fed41" to virtual address "0x6A2B2AFC" (part of module "CLR.DLL")
- source
- Hook Detection
- relevance
- 10/10
-
Reads information about supported languages
- details
-
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "EN-US")
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE"; Key: "EN-US")
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
-
Hiding 5 Suspicious Indicators
-
Informative 11
-
Environment Awareness
-
Contains ability to query machine time
- details
- GetSystemTimeAsFileTime@KERNEL32.DLL from f2b098cea47ede322e0843a3b4230e1e71407bb9f3eabcafc214a1bd6f5cc8d1.exe (PID: 1616) (two calls recorded)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
General
-
Contacts domains
- details
- "instance-sr5cl3-relay.screenconnect.com"
- source
- Network Traffic
- relevance
- 1/10
-
Contacts server
- details
- "167.114.35.222:443"
- source
- Network Traffic
- relevance
- 1/10
-
Contains PDB pathways
- details
-
"%USERPROFILE%\Source\ScreenConnectWork\Custom\DotNetRunner\Release\DotNetRunner.pdb"
"E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb"
"E:\delivery\Dev\wix37_public\build\ship\x86\wixca.pdb"
"%USERPROFILE%\Source\ScreenConnectWork\Custom\DotNetRunner\DotNetResolver\obj\Release\DotNetResolver.pdb"
- source
- File/Memory
- relevance
- 1/10
-
Creates a writable file in a temporary directory
- details
- "<Input Sample>" created file "%TEMP%\setup.msi"
- source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
- source
- Created Mutant
- relevance
- 3/10
-
Loads the .NET runtime environment
- details
- "<Input Sample>" loaded module "%WINDIR%\assembly\NativeImages_v4.0.30319_32\mscorlib\51e2934144ba15628ba5a31be2dae7dc\mscorlib.ni.dll" at 692F0000
- source
- Loaded Module
-
The input sample is signed with a certificate
- details
-
The input sample is signed with a certificate issued by "CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US" (SHA1: 03:A5:B1:46:63:EB:12:02:30:91:B8:4A:6D:6A:68:BC:87:1D:E6:6B)
The input sample is signed with a certificate issued by "CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB" (SHA1: A4:1A:37:D0:27:0D:84:33:C3:CD:02:20:24:8A:D8:4A:5A:6A:1A:26)
The input sample is signed with a certificate issued by "CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE" (SHA1: F5:AD:0B:CC:1A:D5:6C:D1:50:72:5B:1C:86:6C:30:AD:92:EF:21:B0)
The input sample is signed with a certificate issued by "CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB" (SHA1: B6:9E:75:2B:BE:88:B4:45:82:00:A7:C0:F4:F5:B3:CC:E6:F3:5B:47)
- source
- Certificate Data
- relevance
- 10/10
-
Installation/Persistence
-
Connects to LPC ports
- details
- "<Input Sample>" connecting to "\ThemeApiPort"
- source
- API Call
- relevance
- 1/10
-
Dropped files
- details
-
"MSI5B82.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"setup.msi" has type "Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {2452B08F-47D6-408B-AC4F-5507260A4210}, Create Time/Date: Wed Feb 24 17:26:06 2016, Last Saved Time/Date: Wed Feb 24 17:26:06 2016, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML (3.7.1224.0), Security: 2"
- source
- Binary File
- relevance
- 3/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://www.usertrust.com1"
Pattern match: "crl.usertrust.com/UTN-USERFirst-Object.crl05"
Pattern match: "http://ocsp.usertrust.com0"
Pattern match: "https://secure.comodo.net/CPS0C"
Pattern match: "crl.comodoca.com/COMODORSACodeSigningCA.crl0t"
Pattern match: "crt.comodoca.com/COMODORSACodeSigningCA.crt0$"
Pattern match: "http://ocsp.comodoca.com0$"
Pattern match: "crl.usertrust.com/AddTrustExternalCARoot.crl05"
Pattern match: "http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q"
Pattern match: "http://crt.comodoca.com/COMODORSAAddTrustCA.crt0$"
Pattern match: "http://ocsp.comodoca.com0"
Pattern match: "R.wsl/&D{f7vh~@O9lK?!-2[hi6{y"
Pattern match: "uW0c.pk/{dKElI4@`1jn"
Heuristic match: "oTLlzYgoMy\!t.sL"
Pattern match: "fxmNr.NjN/VY6xf|{~FL11fPYwO&[3*zv~.p`]#!mtw#P!AA}p.=D:u@MeM"
Heuristic match: "*g?Z|{4P{pv`/\;?%IB9O~(yjpX`Bk/`9934L5C*qY_QkUl)y>UcR)_Cc'~\Xb<ZjfL>0E<%Vz1G.%a@8SajD(6TzQN L&.CtScS|h5J)}8j:0F1*qBt<`6)gLKTn2.Tl"
Pattern match: "e.kzR/X,=}j&T?wLGl%=7;$E2nZ"
Pattern match: "uO.WKF/k!4lpq_X8B39"
Heuristic match: "%JEE.EE"
Heuristic match: "fzwV!`*.Td"
- source
- File/Memory
- relevance
- 10/10
File Details
ScreenConnect.ClientSetup (6).exe
- Filename
- ScreenConnect.ClientSetup (6).exe
- Size
- 1.7MiB (1814160 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- f2b098cea47ede322e0843a3b4230e1e71407bb9f3eabcafc214a1bd6f5cc8d1
- MD5
- 47fb453ae39baa4e10b9674d7c1619be
- SHA1
- 4a45981f0eb8ea6e8f88a3fe7565007b6bab66bf
- ssdeep
- 49152:D/YT0+TL3Z0af4FWPlK9tRdlMU41SGi2LcpKJsA4:D/fzFWtCnMnoG9iHr
- imphash
- 666d4d664eb96956dd07ae85aa6e6a0e
- authentihash
- 0ff4593f3514852bb6825a5587ec756f6b89eb630c0000be6e8b5359171db8a7
File Certificates
Owner | Issuer | Serial | Validity (from / to) | MD5 | SHA1
---|---|---|---|---|---
CN=COMODO SHA-1 Time Stamping Signer, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US | 1688f039255e638e69143907e6330b | 12/31/2015 01:00:00 / 07/09/2019 20:40:36 | 8F:C6:01:B2:F5:01:26:30:60:AC:8D:52:9D:37:A2:94 | 03:A5:B1:46:63:EB:12:02:30:91:B8:4A:6D:6A:68:BC:87:1D:E6:6B
CN=ScreenConnect Software, O=ScreenConnect Software, OID.2.5.4.18=33634, STREET="4110 George Road, Suite 200", L=Tampa, ST=Florida, OID.2.5.4.17=33634, C=US | CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | 4a03dbce32c5a34420a419fb740aa1a | 02/02/2016 01:00:00 / 02/02/2019 00:59:59 | 45:37:90:B6:14:9C:C2:3B:1C:9E:C2:AC:9D:3E:D2:B5 | A4:1A:37:D0:27:0D:84:33:C3:CD:02:20:24:8A:D8:4A:5A:6A:1A:26
CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE | 2766ee56eb49f38eabd770a2fc84de22 | 05/30/2000 12:48:38 / 05/30/2020 12:48:38 | 1E:DA:F9:AE:99:CE:29:20:66:7D:0E:9A:8B:3F:8C:9C | F5:AD:0B:CC:1A:D5:6C:D1:50:72:5B:1C:86:6C:30:AD:92:EF:21:B0
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | 2e7c87cc0e934a52fe94fd1cb7cd34af | 05/09/2013 02:00:00 / 05/09/2028 01:59:59 | AA:37:4C:C0:0B:ED:2E:1E:A6:91:EF:41:5B:80:8F:E1 | B6:9E:75:2B:BE:88:B4:45:82:00:A7:C0:F4:F5:B3:CC:E6:F3:5B:47
Hybrid Analysis
Analysed 2 processes in total.
- Input Sample (PID: 1616)
- msiexec.exe /i "%TEMP%\setup.msi" (PID: 2548)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
instance-sr5cl3-relay.screenconnect.com | - | - | - |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details
---|---|---|---
167.114.35.222 | 443/TCP | - | Canada; ASN 16276 (OVH SAS)
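The relay hostname recorded above, turned into a detection. This is an added example and not part of the report: the sandbox saw the client resolve instance-sr5cl3-relay.screenconnect.com and connect to 167.114.35.222:443. In that hostname the middle token (sr5cl3 here) is the part that distinguishes one hosted ScreenConnect instance from another, so a defender who knows the id of the organisation's own instance can allowlist it and flag any endpoint talking to a relay for somebody else's instance. The DNS log format (timestamp, client IP, query name, record type), the sample log lines and the allowlisted id `abc123` are all constructed for this example.

```python
"""Flag DNS lookups of ScreenConnect relay hosts that do not belong to our own instance.

Added example, not part of the sandbox report. Log format and allowlisted instance id
are assumptions made for the example.
"""
import re
from collections import Counter

# Hosted relay names seen in the report have the shape instance-<id>-relay.screenconnect.com.
RELAY_RE = re.compile(r"^instance-(?P<id>[a-z0-9]+)-relay\.screenconnect\.com\.?$", re.IGNORECASE)

# Constructed sample: "<timestamp> <client_ip> <query_name> <qtype>" (assumed resolver log format).
SAMPLE_DNS_LOG = """\
2016-05-19T18:23:10Z 10.0.0.12 instance-sr5cl3-relay.screenconnect.com A
2016-05-19T18:23:11Z 10.0.0.12 instance-sr5cl3-relay.screenconnect.com A
2016-05-19T18:24:02Z 10.0.0.40 instance-abc123-relay.screenconnect.com A
2016-05-19T18:25:17Z 10.0.0.40 www.screenconnect.com A
2016-05-19T18:26:44Z 10.0.0.77 updates.example.com A
"""


def relay_instance(qname: str):
    """Return the instance id embedded in a ScreenConnect relay hostname, or None."""
    m = RELAY_RE.match(qname.strip())
    return m.group("id").lower() if m else None


def unexpected_relays(log_text: str, allowed_ids):
    """Count (client_ip, instance_id) pairs that resolved a relay outside the allowlist.

    Non-relay screenconnect.com names (the web front end, downloads) are ignored on
    purpose: only the relay hostname carries the per-instance id.
    """
    allowed = {i.lower() for i in allowed_ids}
    hits = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue                      # malformed line; skip rather than crash the pipeline
        inst = relay_instance(parts[2])
        if inst and inst not in allowed:
            hits[(parts[1], inst)] += 1
    return dict(hits)


if __name__ == "__main__":
    # 'abc123' stands in for the organisation's own hosted instance (assumed).
    for (client, inst), n in unexpected_relays(SAMPLE_DNS_LOG, ["abc123"]).items():
        print(f"{client} resolved relay for foreign ScreenConnect instance {inst!r} {n} time(s)")
```

Because the report shows the relay traffic going straight to 167.114.35.222:443 with no HTTP request, a DNS or proxy log is the practical place to see the instance id; the TLS session itself will not reveal it without inspection.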
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files
-
Malicious 1
-
-
MSI5B82.tmp
- Size
- 289KiB (295796 bytes)
- Type
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "BehavesLike.Downloader" (1/57)
- Runtime Process
- msiexec.exe (PID: 2548)
- MD5
- 25911a65ceb0aa43da776c8b10ce685f
- SHA1
- 21c71720b4aee3d7b70b0805c202a9e6ad05ba8c
- SHA256
- 2ae6dafdf8235fadb3858c37c798b1ec924eca486838a676c85cc9e36de97840
-
-
Informative 1
-
-
setup.msi
- Size
- 984KiB (1007616 bytes)
- Type
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Installation Database, Subject: Default, Author: ScreenConnect Software, Keywords: Default, Comments: Default, Template: Intel;1033, Revision Number: {2452B08F-47D6-408B-AC4F-5507260A4210}, Create Time/Date: Wed Feb 24 17:26:06 2016, Last Saved Time/Date: Wed Feb 24 17:26:06 2016, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML (3.7.1224.0), Security: 2
- Runtime Process
- f2b098cea47ede322e0843a3b4230e1e71407bb9f3eabcafc214a1bd6f5cc8d1.exe (PID: 1616)
- MD5
- e575ac07dc0765b6e72c9b1e6154c323
- SHA1
- eed72ba8b27797f0eb7e7bbe40fd04c15c8d0a93
- SHA256
- 25cc22bb670a2161cf2e45758baab443ddfddd95d063c5b858a64ac9b0ff7417
-
Notifications
-
Runtime
- Dropped file "setup.msi" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/25cc22bb670a2161cf2e45758baab443ddfddd95d063c5b858a64ac9b0ff7417/analysis/1463675464/")
- Not all sources for signature ID "api-38" are available in the report
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "string-3" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Sample was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/f2b098cea47ede322e0843a3b4230e1e71407bb9f3eabcafc214a1bd6f5cc8d1/analysis/1463675414/")